How Pharmacy HQ collects, uses, and protects your information.
In plain English: We collect the minimum data needed to run your pharmacy operations dashboard. We don't sell your data, we don't share it with advertisers, and your operational data belongs to you. This policy explains the details.
Pharmacy HQ is a software-as-a-service (SaaS) product providing staff operations dashboards for Australian pharmacies. It is operated by Pharmacy HQ Pty Ltd (ACN 698 203 164 · ABN 86 698 203 164), an Australian company with registered office at C/- Perrier Ryan Business Advisors, Level 1, 30 Lisburn Street, East Brisbane QLD 4169.
In this policy, "Pharmacy HQ", "we", "us" and "our" refer to Pharmacy HQ Pty Ltd. "You" refers to the pharmacy owner, manager, or staff member using our service.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
When you create a Pharmacy HQ account, we collect:
All data entered by you or your staff into the application is stored under your pharmacy's account and includes:
Important: Pharmacy HQ stores both operational data (staff records, tasks, diary entries, cash reconciliation) AND, when you enable the relevant features, patient-adjacent operational data (Webster patient profiles including Medicare/DVA/NDIS, Care Transfer records, Staged Supply dispensing events, vaccination claim records). All such data is stored under your pharmacy's account with strict access controls. We are not a regulated health records platform; the dispensing system at your pharmacy remains the system of record for full clinical medication history. See Section 9 below for the full list of patient-adjacent data categories.
Sensitive information (APP 3.3). Where the pharmacy chooses to record a patient's Aboriginal and/or Torres Strait Islander identification (used to confirm IDAA — Indigenous Dose Administration Aid — program eligibility), that information is "sensitive information" under the Australian Privacy Principles. The pharmacy is the APP entity collecting it; Pharmacy HQ acts as the data processor on the pharmacy's behalf. Pharmacies must obtain the patient's consent before recording this field and may only use it for the specific purpose of confirming IDAA program eligibility. Pharmacy HQ enforces this by gating the field behind an explicit consent prompt at the Webster enrolment form. Concession status and living-setting metadata are not classified as sensitive information under the APPs but are still treated with the same access controls as other patient-adjacent data.
When you use our application, we or our infrastructure providers may automatically collect:
| Data type | Collected by | Purpose |
|---|---|---|
| Auth tokens & session data | Firebase Authentication (Google) | Keeping you signed in securely |
| Realtime database (all app data) | Firebase Realtime Database (Google) | Live sync across devices |
| Payment & billing data | Stripe, Inc. | Processing subscription payments |
| Email delivery logs | Resend, Inc. | Welcome, trial, billing, and claim-nag emails |
We use the information we collect for the following purposes:
We will never sell your data to third parties, use it to serve you advertisements, or share it with anyone who is not listed in Section 4 of this policy.
Pharmacy HQ provides four AI-powered surfaces, all backed by Anthropic's Claude model:
For Help / Policy / Workflow chats, the text of your question and the contextual data the assistant needs to answer (which may include patient names, prescription details, or operational records) is transmitted to Anthropic's API in the United States. For PreCheck, the data residency and identifier-stripping controls described in §4b apply.
Under Anthropic's commercial terms in effect at the date of this policy, requests and responses are not used for model training and are not retained beyond the time required to deliver the response (subject to Anthropic's standard logging for abuse prevention).
We log metadata only — timestamp, surface (help / policy / workflow / pre-check), tokens consumed, latency. We do not log the prompt or the response text on our side. This is a deliberate PHI-hygiene choice; the trade-off is we can't audit the content of historical AI queries.
Pharmacy owners can disable AI features for the entire pharmacy in Pharmacy Settings → AI Chat. Once disabled, no Anthropic API calls occur from your pharmacy's account. PreCheck is independently opt-in per patient (§4b).
PreCheck is an assistive workflow tool that captures an end-of-pack photograph of a Webster (dose administration aid) pack and runs AI image analysis to count pills per cell and flag potential discrepancies. The pharmacist reviews every result and is solely responsible for verifying the pack before it leaves the pharmacy. PreCheck is not a medical device and does not constitute a clinical determination.
PreCheck is gated on per-patient consent. The pharmacist obtains the patient's documented consent at Webster enrolment and records it on the patient's Webster profile inside Pharmacy HQ (a structured field: granted, at, by, with a withdrawal field if consent is later revoked). PreCheck capture refuses to upload a photo for a patient whose consent is not granted. Consent is patient-level (not pharmacy-level) and is withdrawable at any time via Pharmacy Settings or by request to the pharmacy.
What we send to the AI provider: the cropped image of the pack grid only (the rectangle inside the violet outline shown on the camera preview), plus the expected pill counts per slot as a JSON array. The image is cropped client-side using a fixed bounding rectangle before it is uploaded to our servers; everything outside the violet outline is discarded before the image data exists.
What we do NOT send: the patient's name, date of birth, Medicare number, AHPRA number, or any other personal identifier. There is no patient ID, no store ID, and no timestamp in the AI payload that could correlate the image with a patient. We additionally run a server-side OCR redaction check on the cropped image (Google Cloud Vision textDetection) before any AI call; if the OCR detects identifier-shaped text (patient name, DOB pattern, Medicare pattern, or AHPRA pattern) we BLOCK the AI call and prompt the pharmacy staff member to reframe and re-capture.
The PreCheck AI call goes to Google Cloud Vertex AI in the australia-southeast1 (Sydney) region, hosting Anthropic's Claude model. This is the same Sydney Google Cloud project where the rest of your pharmacy data is stored — your patient data does not leave Australia for the PreCheck pipeline.
Vertex AI publisher logging is disabled on the PreCheck call (header: X-Vertex-AI-Logging-Off: true), and under Anthropic's Vertex policy in effect at the date of this policy, requests and responses are not used for model training and are not retained beyond the time required to deliver the response.
Pharmacy HQ retains the cropped photograph in your pharmacy's storage bucket alongside the AI result for the audit trail. Photographs are deleted in line with our standard retention schedule (§6) or earlier on request.
Every PreCheck capture records a structured privacy field — consent state at capture time, crop bounds applied, OCR preflight result, AI provider, AI region, and retention policy. Pharmacy owners can generate a Privacy Audit Pack (PDF) from the PreCheck tab covering the last 30 days of activity, suitable for OAIC, AHPRA, or insurer enquiries.
Individual patients can withdraw consent at any time by asking their pharmacy to un-tick the PreCheck consent on their Webster profile; subsequent captures for that patient are blocked. Pharmacies can disable PreCheck for the entire store in Pharmacy Settings → PreCheck.
The full Privacy Impact Assessment for PreCheck — covering personal information flows, the risk register, mitigations, and the Australian Privacy Principles compliance map — is published at /pharmacyhq-fixes/precheck-pia.html. It is updated when PreCheck Phase 2 (AI go-live) ships and at each new pharmacy onboarding.
Your data is stored in Firebase Realtime Database, hosted by Google. All data is protected by:
Edge security and inbound mail processing. DNS for pharmacyhq.com.au is hosted on Cloudflare; inbound automated emails (e.g. fridge temperature logs from Clever Logger) are routed through Cloudflare Email Routing and processed by a Cloudflare Worker before being forwarded to our Cloud Functions for ingestion. Cloudflare may temporarily process the email contents in transit; we do not retain Cloudflare's processing logs beyond what their standard logging provides.
While we take reasonable technical measures to protect your data, no internet transmission or electronic storage method is 100% secure. If you become aware of any security vulnerability, please contact us immediately at security@pharmacyhq.com.au.
You can request earlier deletion of your data at any time by contacting privacy@pharmacyhq.com.au. Billing records may be retained longer if required by law.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights:
You can request a copy of the personal information we hold about you. We will provide this within 30 days of your request. Your operational data is accessible directly through the application at any time.
If any information we hold about you is inaccurate or out of date, you can correct it yourself within the application or ask us to correct it.
You can request that we delete your account and associated data. Some data may be retained where required by law (e.g. financial records).
If you believe we have handled your personal information in breach of the Privacy Act, you can lodge a complaint with us at privacy@pharmacyhq.com.au. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
To exercise any of these rights, email privacy@pharmacyhq.com.au. We will respond within 30 days and may need to verify your identity before acting on your request.
Pharmacy HQ is primarily a workflow and operations dashboard. We are not a clinical management system, regulated health records platform, or dispensing software. However, several features that you (the pharmacy) can optionally enable do require us to store patient-adjacent operational data.
What we may store, when your pharmacy uses the relevant feature:
What we still do not store:
All patient-adjacent data is gated by Firebase Security Rules so that one pharmacy cannot read another pharmacy's records. Per-feature sensitivity controls (e.g. the Staged Supply path is admin-SDK-write-only — every write goes through an authenticated Cloud Function with an audit log) give an extra layer for the most sensitive paths.
Pharmacy owners remain responsible for ensuring their use of the application complies with applicable pharmacy board and privacy regulations. We provide the platform; you remain the data controller for patient information under the Privacy Act.
If you have specific compliance questions for your pharmacy, we recommend seeking independent legal advice or contacting the Pharmacy Guild of Australia.
Pharmacy HQ is a professional business tool intended for use by adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us at privacy@pharmacyhq.com.au and we will promptly delete the account.
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. When we make material changes, we will:
Continued use of Pharmacy HQ after the effective date of any changes constitutes your acceptance of the updated policy.
For any privacy-related questions, requests, or complaints:
We aim to respond to all privacy enquiries within 5 business days.
Office of the Australian Information Commissioner (OAIC)
If you are not satisfied with our response to a privacy complaint, you may contact the OAIC:
Website: www.oaic.gov.au · Phone: 1300 363 992 · GPO Box 5218, Sydney NSW 2001